On Mon, 08 Jun 2009 23:35:21 +0200, Mark S. Miller <erights@google.com>
wrote:
> When the withCredentials flag is set to false, does it also issue an
> "Origin: null" header? If not, then -- given the recommended server
> behavior -- this flag isn't doing its job, since an identified origin
> header is still a form of credential. As mentioned earlier, for
> credential-free same origin requests, it would be adequate either to say
> "Origin: null" or to leave the Origin header absent.

The flag is currently not doing "its job" then. When we designed this
feature we made it only affect HTTP authentication and cookies.

I think we have some freedom to change some of the details here as long as
the motivation is perfectly clear and agreed upon by those that have
already implemented the draft.

I sort of like the idea of having a new (named) constructor or maybe have
the constructor take an argument to indicate credentials are supposed to
be omitted. This would also allow us to drop the withCredentials flag.

--
Anne van Kesteren
http://annevankesteren.nl/
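
The behaviour discussed in this message, as an added example that is not part of the original e-mail or of the XMLHttpRequest draft: a simplified model in which withCredentials = false drops only cookies and HTTP authentication, compared with the two alternatives named in the quoted text ("Origin: null" or no Origin header). The function names, the originMode parameter, the server that authorizes on an Origin allowlist, and all sample values are assumptions made for illustration.

```javascript
// Added example: simplified model, hypothetical names, constructed sample values.
const session = {
  origin: "https://app.example",          // constructed
  cookies: "sid=constructed-session-id",  // constructed
  httpAuth: "Basic constructed-placeholder",
};

// originMode (hypothetical parameter):
//   "draft"  - the flag affects only cookies and HTTP authentication
//   "null"   - credential-free requests send "Origin: null"
//   "absent" - credential-free requests send no Origin header
function buildRequestHeaders(state, withCredentials, originMode = "draft") {
  const headers = {};
  if (withCredentials) {
    headers["Cookie"] = state.cookies;
    headers["Authorization"] = state.httpAuth;
    headers["Origin"] = state.origin;
    return headers;
  }
  if (originMode === "draft") headers["Origin"] = state.origin;
  else if (originMode === "null") headers["Origin"] = "null";
  return headers; // "absent": nothing identifying is attached
}

// Assumed server policy: an identified Origin on the allowlist is enough
// to authorize the request, which makes the header act as a credential.
function serverAuthorizes(headers, trustedOrigins) {
  return trustedOrigins.has(headers["Origin"]);
}

// Headers on the request that still identify the sender.
function authorityCarried(headers) {
  return ["Cookie", "Authorization", "Origin"].filter(
    (h) => h in headers && headers[h] !== "null"
  );
}

// Build a credential-free request under each mode and record the outcome.
function compareModes() {
  const trusted = new Set([session.origin]);
  const result = {};
  for (const mode of ["draft", "null", "absent"]) {
    const h = buildRequestHeaders(session, false, mode);
    result[mode] = { carried: authorityCarried(h), authorized: serverAuthorizes(h, trusted) };
  }
  return result;
}

console.log(compareModes());
```

A server that wants the flag to mean "no ambient authority" has to require an explicit credential in addition to checking Origin, since under the "draft" mode the allowlist check alone still passes.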